Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected

Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution.
The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164, CVSS score: 9.8), which also came under active exploitation shortly after public disclosure.
"An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution," according to the Apache advisory.
In other words, successful exploitation of the flaw could allow a malicious actor to upload arbitrary payloads to susceptible instances, which could then be leveraged to run commands, exfiltrate data, or download additional payloads for follow-on exploitation.
The vulnerability impacts the following versions, and has been patched in Struts 6.4.0 or greater -
- Struts 2.0.0 - Struts 2.3.37 (End-of-Life),
- Struts 2.5.0 - Struts 2.5.33, and
- Struts 6.0.0 - Struts 6.3.0.2
Dr. Johannes Ullrich, dean of research for SANS Technology Institute, said that an incomplete patch for CVE-2023-50164 may have led to the new problem, adding exploitation attempts matching the publicly-released proof-of-concept (PoC) have been detected in the wild.
"At this point, the exploit attempts are attempting to enumerate vulnerable systems," Ullrich noted. "Next, the attacker attempts to find the uploaded script. So far, the scans originate only from 169.150.226[.]162."
To mitigate the risk, users are recommended to upgrade to the latest version as soon as possible and rewrite their code to use the new Action File Upload mechanism and related interceptor.
"Apache Struts sits at the heart of many corporate IT stacks, driving public-facing portals, internal productivity applications, and critical business workflows," Saeed Abbasi, product manager of Threat Research Unit at Qualys, said. "Its popularity in high-stakes contexts means that a vulnerability like CVE-2024-53677 could have far-reaching implications."
Meta Fined €251 Million for 2018 Data Breach Impacting 29 Million Accounts
BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356)
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalContent Security Policy (CSP) Report-Only Header Found
InformationalRe-examine Cache-control Directives
MediumInsecure HTTP Method
InformationalSec-Fetch-Dest Header Has an Invalid Value
InformationalAuthentication Request Identified
CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
CWE-1315 Improper Setting of Bus Controlling Capability in Fabric End-point
CWE-66 Improper Handling of File Names that Identify Virtual Resources
Free online web security scanner